Defending Computer Networks Lecture 7: Port Scanning Stuart Staniford Adjunct Professor of Computer Science
Logistics: Aim to give out HW2 on Thursday.
Main Goals for Today: TCP portscanning; detection of portscanning.
Refresh: 3-way handshake (figure: client sends SYN packet, server replies with SYN-ACK packet, client sends ACK packet, then normal data exchange between client and server).
Refresh: IP Address Space. Different organizations get different amounts. Class A: x.0.0.0/8 (2^24 = 16,777,216 addresses; x.1.1.1 is in, as is x.254.254.254). Huge org, eg DOD is 11.0.0.0/8, IBM is 9.0.0.0/8. Class B: x.y.0.0/16 (2^16 = 65536). Mid-sized organization, eg Cornell has 128.253.0.0/16, 128.84.0.0/16, 132.236.0.0/16 and 140.251.0.0/16. Class C: x.y.z.0/24 (2^8 = 256). Small organizations. Can also have intermediate bitmasks, eg /22.
Port Scan Scenarios. Bad guy wants to map an address space. Old style: across the internet. Still happens for internet-facing servers, but rarely can map entire networks any more. Newer style: has a compromised machine on an internal network. Wants to know what servers are here? Specifically, which machines have open ports?
Class B Portscan Example. 2^16 addresses. Say bad guy just scans on port 80, eg say he knows an IIS or Apache exploit. Send out 2^16 SYN packets to port 80: x.y.0.0, x.y.0.1, x.y.0.2, ... x.y.255.254. Horizontal scan on port 80. See who sends back a SYN-ACK: means they have a process answering on port 80. Find all the web servers this way. Attack 'em! Start with sending an ACK pkt to establish conn. Or not: if we don't send the 3rd handshake packet, system typically won't log. Half-open connection.
Vertical Port Scan of 1 IP. Targeting a single IP address. Scan all 2^16 ports. Find all ports answering.
What Happens if Port Not Open. No machine at all: typically get an ICMP response from a router (ICMP is a special protocol for Internet error message packets) saying no host at this address. Machine but with closed port: typically get a reset packet. Like a SYN-ACK, but with R set instead of S and A. Semantics: stop this immediately. Security system (firewall): silence (depending on configuration).
Visualizing Scans (figure: port vs. IP address).
Small Piece of a Large Random Scan (figure: port vs. IP address).
Let's try it: sudo nmap -n -sS 10.0.0.2
What's Happening on The Wire: sudo tcpdump -n -i en3 (in one window), then sudo nmap -n -sS 10.0.0.2
TCP FIN Flag. Used to indicate orderly close of a connection. FIN (F): 0x0x in TCP header flags field. Either side may issue a packet with FIN in; can be a data packet. Other side should respond with a FIN pkt. Connection is then over and no more pkts should be sent.
FIN Scanning
Let's try these and compare: tcpdump -n -i en0 (in one window), then nmap -n -sS 10.0.0.2 and nmap -n -sF 10.0.0.2. If time: nmap -n -sX 10.0.0.2 and nmap -n -sN 10.0.0.2
What is the Advantage? Some early packet filters (network access control devices) would just examine SYNs to enforce policy. Eg if we want to block inbound email: no SYNs to port 25. Allow all non-SYN pkts through on the theory that the end-host will not actually allow a connection with no SYN. But the end-host might respond to a FIN scan, allowing the attacker to portscan it through the filter.
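The SYN-only filter just described, beside a stateful version that keeps a flow table, as an added example that is not code from the slides. It assumes a simplified packet representation (constructed tuples of src, dst, dport, flags) and a one-direction flow table; a FIN arriving with no flow is the "unexpected F" case, so the stateful filter records it for alerting as well as dropping it.

```python
"""Why a SYN-only packet filter can be portscanned with FIN packets, and the
stateful fix (added example, not from the slides). Policy: block inbound
e-mail, i.e. no connections to TCP port 25. Packets are constructed tuples
(src, dst, dport, flags), flags being a string such as 'S', 'F' or 'SA'."""

BLOCKED_PORTS = {25}

def is_syn(flags):
    """A bare SYN (no ACK) is the first packet of a new connection."""
    return "S" in flags and "A" not in flags

def stateless_allow(pkt):
    """Early-filter logic: enforce policy on SYNs only; let everything else
    through on the theory that no connection can exist without a SYN."""
    _src, _dst, dport, flags = pkt
    return not (is_syn(flags) and dport in BLOCKED_PORTS)

class StatefulFilter:
    """Keeps a flow table; a non-SYN packet passes only if its flow was opened
    by an allowed SYN. A FIN with no flow is the 'unexpected F' case and is
    worth alerting on as well as dropping (simplified: one direction only)."""
    def __init__(self):
        self.flows = set()
        self.unexpected_fins = []

    def allow(self, pkt):
        src, dst, dport, flags = pkt
        key = (src, dst, dport)
        if is_syn(flags):
            if dport in BLOCKED_PORTS:
                return False
            self.flows.add(key)
            return True
        if key not in self.flows:
            if "F" in flags:
                self.unexpected_fins.append(key)
            return False
        return True

def run(decide, packets):
    """Apply a filter decision function to each packet in order."""
    return [decide(p) for p in packets]

def stateful_run(packets):
    """Run a fresh StatefulFilter; return (decisions, unexpected FIN flows)."""
    f = StatefulFilter()
    return run(f.allow, packets), f.unexpected_fins

# Constructed probe: SYN to port 25, FIN to port 25, then SYN and FIN to port 80.
PROBE = [("10.4.1.4", "10.4.35.2", 25, "S"), ("10.4.1.4", "10.4.35.2", 25, "F"),
         ("10.4.1.4", "10.4.35.2", 80, "S"), ("10.4.1.4", "10.4.35.2", 80, "F")]
```

The stateless filter passes the FIN to port 25 (the probe reaches the host), while the stateful one drops it and logs the flow as an unexpected FIN.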
Let's look at everything nmap can do. Just for kicks; may not work, is slow/flaky at times. sudo nmap -n -A -T4 10.0.0.2
https://nakedsecurity.sophos.com/2015/09/11/us-agency-in-charge-of-power-grid-and-nukes-keeps-getting-breached/
Algorithms to Detect Portscans. First brush with Network Intrusion Detection: the general art/science of detecting badness by watching packets fly by. Invented at UC Davis, Todd Heberlein et al circa 1989, Network Security Monitor. Portscan detection is a nice sample problem; illustrates many of the issues in an easy-to-follow context.
Firstly We Need to Get Packets. Old: promiscuously monitor a hub/wire. Modern: span port on switch; network tap device; detection device itself inline (IPS, Intrusion Prevention System). For CS 5434 purposes, libpcap (man pcap) will get you started.
Then we need a data structure. Simplest possible thing is a hash table keyed on client IP with per-connection counts of relevant stuff. Eg just count SYNs: portscanners will issue more SYNs than average. Alert when count goes over threshold. But what's likely to go wrong? (figure: table entries 10.4.1.4:3, 10.32.5.1:7, 10.11.43.7:1)
Another possibility: look for the actual sequential behavior, eg SYN -> 10.4.35.1, SYN -> 10.4.35.2, SYN -> 10.4.25.3. Implement by having a "last dest" field in the table entry; keep counts of the number of increment-by-ones. Fragile: what could go wrong?
Keep track of unique dests per src? Now have to have a way to know what is a unique dst for that src. (figure: table entries 10.4.1.4:3, 10.32.5.1:7, 10.11.43.7:1)
Better Idea. Key off the idea that port-scanners make a lot of failed connections; legit users make only a few. So keep track of a failed-minus-succeeded count; alert when it goes over a threshold. How can the attacker game this? Doesn't work in the presence of packet-filters/firewalls (silence is not a visible failure).
Another Idea. Learn the probability of a SYN (say) being to a destination: P(D). Popular servers will have high P(D) (say 5% or 1%); non-servers will have very low P(D) (1 in 10^6 or 10^9). Take log(P(D)) and accumulate that in the hash table: an anomaly score. Portscanners will accumulate a lot of anomaly score; alert if over a threshold. Harder for attackers to game: they don't know P(D), otherwise they wouldn't need to portscan.
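The failed-minus-succeeded counter and the P(D) anomaly score, run side by side over one constructed SYN trace, as an added example that is not the lecture's code. It assumes P(D) is learned from a constructed benign history with a floor probability for never-seen hosts, and accumulates -log P(D) (the slides write log(P(D)); the sign is flipped so rare destinations add score); the reply values "syn-ack", "rst", "icmp" and None are a constructed encoding of what the scanned host sent back.

```python
"""Two portscan detectors over a constructed SYN trace (added example, not the
lecture's code): failed-minus-succeeded counting, and the anomaly score that
accumulates -log P(D) per source, with P(D) learned from benign history."""
import math
from collections import Counter, defaultdict

# Constructed learning-phase history: SYNs per destination, and total SYNs seen.
HISTORY = Counter({"10.4.35.1": 5000, "10.4.35.2": 4500, "10.4.35.9": 400})
TOTAL_SYNS = 10_000
P_FLOOR = 1e-6  # assumed P(D) for a destination never seen in history

def dest_probability(dst):
    """P(D) for a destination; never-seen hosts get the floor value."""
    return max(HISTORY.get(dst, 0) / TOTAL_SYNS, P_FLOOR)

def anomaly_scores(syns):
    """Hash table keyed on source IP, accumulating -log P(D) for every SYN."""
    scores = defaultdict(float)
    for src, dst, _reply in syns:
        scores[src] += -math.log(dest_probability(dst))
    return dict(scores)

def failed_minus_succeeded(syns):
    """Per-source failed attempts minus succeeded ones. 'syn-ack' is success,
    'rst'/'icmp' is failure; None (firewall silence) is invisible to this
    detector, which is how a scan behind a silent firewall evades it."""
    counts = defaultdict(int)
    for src, _dst, reply in syns:
        if reply == "syn-ack":
            counts[src] -= 1
        elif reply in ("rst", "icmp"):
            counts[src] += 1
    return dict(counts)

def alerts(syns, threshold):
    """Sources whose accumulated anomaly score exceeds the threshold."""
    return sorted(s for s, v in anomaly_scores(syns).items() if v > threshold)

# Constructed trace of (src, dst, reply): 10.11.43.7 is a legitimate user of
# the known servers; 10.4.1.4 walks 10.4.35.1 .. 10.4.35.8 (a horizontal scan)
# and hosts .5 .. .8 sit behind a firewall that answers with silence.
TRACE = [
    ("10.11.43.7", "10.4.35.1", "syn-ack"),
    ("10.11.43.7", "10.4.35.2", "syn-ack"),
    ("10.11.43.7", "10.4.35.9", "syn-ack"),
] + [("10.4.1.4", f"10.4.35.{i}", r) for i, r in zip(
    range(1, 9), ["syn-ack", "syn-ack", "rst", "icmp", None, None, None, None])]
```

With a threshold of 20 the scanner's six never-seen destinations push it far over while the legit user stays below 5; the failed-minus-succeeded counter nets the scanner to 0 because the four silent hosts never register as failures.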
Extending the basic idea. Keep flow table state; know when we see things like an unexpected F; give that a high anomaly score. (figure: table entries 10.4.1.4:3, 10.32.5.1:7, 10.11.43.7:1 with FIN-flag (F) entries 23, 97, 1)